JENKINS-61755: LDAP Plugin - Group matching with user groups issue

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: ldap-plugin
    • Environment: Jenkins 2.222.1
      OpenJDK 11.0.6+10-post-Ubuntu-1ubuntu118.04.1
      Ubuntu 18.04 LTS
      ldap plugin version 1.21

      Project-based Matrix Authorization Strategy
      Groups entered by samaccountname do not give any permissions to their members, although the group appears to be recognized correctly.
      Groups entered by cn/name work correctly.

      Configuration details:
      User search filter: (& (objectCategory=Person)(objectclass=user)(samaccountname={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)) )
      Group search filter: (& (objectclass=group) (| (samaccountname={0})(cn={0}) ) )
      Group membership: Search for LDAP groups containing user; group membership filter: (member={0})

      Example: a member of the group below will have only 'Configure' permissions.


          // 1: look the group up by its cn/name and print what the realm reports for it
          println("1a: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-name', true).getName())
          println("1b: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-name', true).getDisplayName())
          println("1c: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-name', true))

          // 2: look the same group up by its samaccountname; the name reported is still the cn
          println("2a: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-samaccountname', true).getName())
          println("2b: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-samaccountname', true).getDisplayName())
          println("2c: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-samaccountname', true))

          // 3: both lookups resolve to the same member list
          println("3a: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-name', true).getMembers())
          println("3b: " + Jenkins.instance.securityRealm.loadGroupByGroupname('test-group-samaccountname', true).getMembers())

          // 4: the authorities granted to the user carry only the group's cn, not its samaccountname
          println("4a: " + Jenkins.instance.securityRealm.loadUserByUsername('Test-User-samaccount'))
          println("4b: " + Jenkins.instance.securityRealm.loadUserByUsername('Test-User-samaccount').getAuthorities())

          Result:
          1a: Test-Group-Name
          1b: Test-Group-Name
          1c: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@47ad682
          2a: Test-Group-Name
          2b: Test-Group-Name
          2c: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@242f7016
          3a: [Test-User-Name]
          3b: [Test-User-Name]
          4a: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@7dcc241a
          4b: [authenticated, Test-Group-Name]
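An added, constructed model (not the ldap-plugin's or Jenkins' own code) of what the result above shows: the group search filter resolves the group under either name, but the authority handed to the user is the group's cn, so a matrix row keyed by sAMAccountName is never matched by string comparison. The directory entries and the `dead_rows` audit helper are assumptions made for this example.

```python
# Constructed model of the behaviour in the report: a group is found by either
# sAMAccountName or cn, but the authority granted to a user is always the group's
# cn (result 4b), so a matrix row keyed by sAMAccountName never matches.
# This is a model only, not the ldap-plugin's code; the directory is constructed.

DIRECTORY = [
    {"dn": "CN=Test-Group-Name,OU=Groups,DC=example,DC=com",
     "objectclass": "group", "cn": "Test-Group-Name",
     "samaccountname": "test-group-samaccountname",
     "member": ["CN=Test-User-Name,OU=Users,DC=example,DC=com"]},
    {"dn": "CN=Test-User-Name,OU=Users,DC=example,DC=com",
     "objectclass": "user", "cn": "Test-User-Name",
     "samaccountname": "Test-User-samaccount", "member": []},
]

def find_group(name):
    """Group search filter from the report, (|(samaccountname={0})(cn={0})); AD matches case-insensitively."""
    n = name.lower()
    for e in DIRECTORY:
        if e["objectclass"] == "group" and n in (e["cn"].lower(), e["samaccountname"].lower()):
            return e
    return None

def authorities_for(username):
    """Group membership filter (member={0}); each matching group contributes its cn, as in result 4b."""
    user = next((e for e in DIRECTORY if e["objectclass"] == "user"
                 and e["samaccountname"].lower() == username.lower()), None)
    if user is None:
        return []
    auths = ["authenticated"]
    auths += [e["cn"] for e in DIRECTORY if e["objectclass"] == "group" and user["dn"] in e["member"]]
    return auths

def has_permission(matrix, username, permission):
    """Matrix authorization compares row names against granted authorities by exact string equality."""
    auths = set(authorities_for(username))
    return any(permission in perms and row in auths for row, perms in matrix.items())

def dead_rows(matrix):
    """Audit helper (hypothetical): rows that resolve to a group whose granted authority name differs."""
    out = {}
    for row in matrix:
        g = find_group(row)
        if g is not None and g["cn"] != row:
            out[row] = g["cn"]
    return out
```

Running `dead_rows` over a matrix before saving it surfaces rows that look valid in the UI but silently grant nothing to the group's members.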


            Assignee: Unassigned
            Reporter: Paweł Kaczanowski